I enjoyed reading a good natured rant about the vagaries of managing your identity online on the Des Res blog the other week. If, like me, you work for a large organisation, you’ll probably be obliged to follow strict rules on selecting a password for access to corporate systems. If, again like me, you use a lot of websites that require you to select credentials for logging in, you may struggle to manage a large (and constantly growing) set of strong passwords without writing them down. In these circumstances, it’s very tempting to re-use the strong password for your work systems for other purposes.

Identity 2.0

Identity 2.0 or digital identity has long promised to solve these problems in a world where a user can potentially have one online identity, with a pre-certified proof which is submitted when required for authentication. This model is represented by Microsoft’s Cardspace and the open source Higgins project, but has been slow to gain momentum. However, in recent years, a number of the larger IAM vendors, starting with CA Technologies, have added support for these technologies to their Web Access Management products.

Multiple Identities Online

Of course, being able to use a single identity and set of credentials for all your online activities is a real “good news/bad news” story. The convenience of managing a single set of credentials comes at a price: it’s quite conceivable that your visits to different websites could be aggregated and correlated, to build a far more comprehensive (and revealing) picture of your online activity than you might feel comfortable with. It’s also true to say that not all web sites we visit (and register for) justify the same level of strength in authenticating our identity. For example:

Online Banking: There’s so much at stake if your banking credentials become compromised that it’s obvious to all but the hard of thinking that those credentials should never be used elsewhere. In a previous post, I described how my bank allows me to be warned if I try to re-use internet banking credentials on another site, by providing me with a free copy of Trusteer Rapport. This protection can be easily extended to other high risk sites.

Social Media: As I’ve described on these pages before, I use a wide range of social media applications (in the widest sense of the term) to maintain my contact list, collect and collate information and publicise this blog. Each site requires a separate set of credentials, but increasingly I’m offered the chance to sign in to one application using the credentials from another (very often, either Twitter or Facebook). This makes use of the Open Authentication (OAuth) protocol. OAuth allows the user to authenticate with their chosen service to generate a token. The token can then be used to allow another application to access resources for a given period of time. So, for example, when configuring Tweetdeck, I authenticate in turn to Twitter, Facebook, LinkedIn and Google Buzz and authorise Tweetdeck to use the OAuth tokens to retrieve data from those applications until I revoke that access.

Single Sign On
This still leaves a wide range on different sites that require a login. I use a wide range of Cloud Services, including Drop Box (of which, more in a moment), Windows Live Mesh, Mind Meister (for collaborating on mind maps), MobileNoter (for sharing and synchronising Microsoft OneNote) and of course, Google Docs. These (or at least the data I entrust to them) are important enough to me to warrant good quality credentials and together they make a good case for Single Sign On. With more than 10 years’ experience in Identity Management projects, I’ve always viewed SSO as primarily a user productivity tool, with some incidental security benefits. However, I came across a story on Mashable, describing tools for managing web passwords and quickly realised that I could:

Store all my credentials in a single location;

Secure them with a single strong password, which never leaves my machine;

Synchronise that credential store across multiple computers by locating the credential store on Drop Box;

Use the same, synchronised solution on my iPhone.

So, armed with these requirements and the Mashable product reviews, I eventually settled on 1Password. As well as a management app, which sits in the system tray, 1Password installs a plug-in for all the modern browsers (I’m using it with IE and Firefox) which detects when you’re completing a registration or login form and prompts you to save the credentials. Next time you visit the site, just press the 1Password button to login. Incidentally, the Mashable article mentions that 1Password is primarily a Mac product, with a Windows version in beta. The Windows version is now in fact available as a paid-for GA product.

Summing Up

So, in conclusion, it’s possible to figure out a strategy to at least simplify sign on and credential management to a wide range of web sites and applications, each with differing needs for strength and protection. By and large, the tools to do this a available for free and even the commercial components I chose are available for a very modest fee. All in all, the benefits far outweigh the modest outlay of time and cash.

In my very first blog, I described how I was building an information management architecture around Microsoft’s OneNote 2007. As I’ve settled into my new life as an independent consultant, I’ve stumbled across the first difficulty in the strategy I set for myself. I now have a laptop to take on the road with me and it would be useful to keep the OneNote notebook on there synchronised with the “master” copy on the desktop PC in my home office. It’s not as bad as it might seem – while there are two copies of the resources on two separate machines, there’s only one user (me) using only one of the machines at any one time. Of course, I can just copy the relevant folders to the laptop before I set off and then copy them back when I return. Seems simple enough – I may even remember to do it most of the time.

So, this led me to investigate and then to sign up for the beta version of Live Mesh, Microsoft’s cloud service, built on the Azure services platform. For the techies, there’s a decent description of how it all fits together in Wikipedia , but in simple terms, you get 5GB of storage in the cloud, which can be shared between multiple users and synchronised across multiple machines. As Dan rightly points out, this isn’t real multi-user collaboration. For that, you’d be better served using the multi-user synchronisationcapabilities built into OneNote. However, it does fit my nomadic style of working very well. I trialled it by using OneNote on my laptop to compose an earlier entry on this blog during a train trip into London. On arrival, I used the free wi-fi service at a coffee shop to sync my work back to my office PC and it was ready for final edit and publishing to WordPress when I got home that evening.

No doubt the time will come when I need to give access to OneNote folders to other people. This is no problem to Live Mesh. You can invite another user to share the folder – just open the folder on the Live Desktop and use the “Members” option from the mesh bar to email the person you’re inviting. You get to choose whether they get rights as owner, contributor or just reader. Simple. The invitee can then synchronise the shared folder across all the devices in their Live Mesh, and they can invite other people in the same manner.

Of course, this is the point where you’d have to use OneNote’s multi-user synchronisation capabilities, something I haven’t had the need (or the time) to try out yet.

OneNote in your Pocket

When I’m out and about, I don’t always need to take my laptop with me. Oftentimes, my iPhone has most of what I’ll need – diary, contacts, email, even free phone calls over Skype. By the way, have you noticed how often now people will respond to a question by saying “There’s an app for that!” and looking hugely pleased with themselves? I mentioned in a previous blog that Mobilenoter has developed an iPhone client for OneNote. Their app has been in closed beta since late August, but a few days ago, the beta was thrown open to all comers. I was quick to take advantage of the offer, downloading the iPhone app and also the Windows sync client. I won’t repeat my earlier description of what this app can do, but I will say that it does it all perfectly. There was a glitch with the Windows sync client, when I first downloaded. I logged a support issue and got a reply the next day to say that a new version of the client, fixing the bug, was ready for download. How’s that for service? (I’d love to show you how the OneNote pages are displayed on the iPhone, with the formatting, graphics and links all intact. If anyone knows how to take a screen shot on the iPhone, I’d love to hear from you!)

Next Step – Mind Maps in the Cloud

I’m working at the moment with some people in Dubai, developing the early stages of some service offerings. Our chosen format for this work is mind maps. Now, mind mapping is a technique I learned many years ago (on paper, using coloured pens – yes, really!). More recently, I’ve had great service from the very capable Freemind. Inevitably, I want to be able to work with mind maps while travelling, so I’ve just downloaded Mindmeister for my iPhone. This is part of the web-based Mindmeister service and in theory allows any of us to create a mind map in Freemind (for example) and then share it through the web service with the other collaborators. I’ll let you know how we get on in practice.